Earlier this year, we had a problem with tailgaters: employees entering the building when the person in front of them opened the door with their badge. We considered many costly hardware and software solutions. In the end, we broadcast a humorous video at an all-hands meeting that involved the CEO and CTO getting into fisticuffs because one tailgated on the other. Now the entire company knows that they have the authority to challenge tailgaters every day.

A successful security awareness program needs to be interactive. "Death by PowerPoint" doesn't work; employees simply click through to get the training completed. Make the awareness program personal. Many of the key takeaways from a tuned awareness program will support best practices not only in the workplace, but also in employees' personal lives.

Making people ‘aware’ of something, and why it’s important, is just the first step in a successful awareness program. The next essential step is making sure they have what they need, such as tools and/or clear instructions, in order for them to follow through. And finally, to prevent individual or organizational forgetfulness, people need to be accountable for their adherence to the program. This is the fundamental part that is missing in many awareness programs.

Don’t put your end users in a situation where they have to decide if their actions could be a risk. Think about the end user’s machine and how it can be imaged and enforced for security from the start. For example, implement a least-privilege model for users accessing systems and never give standard users admin rights. Only give users access to applications based on that application’s vulnerability profile. Wetware continues to be the number one factor involved in security breaches.
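One way to verify that the "never give standard users admin rights" rule actually holds on imaged machines is to collect local Administrators membership from each endpoint and compare it with an approved baseline. The script below is an added example, not code from the page or from the contributor quoted above: it parses constructed output in the format of `net localgroup Administrators` for two hypothetical hosts (WKS-001, WKS-002) and reports any member not in a hypothetical allow-list (the built-in Administrator account and a CORP\Workstation Admins group).

```python
"""Audit local Administrators membership against a least-privilege baseline."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample data: what `net localgroup Administrators` prints on two
# hypothetical workstations. WKS-002 has a standard user added by hand.
SAMPLE_OUTPUT: Dict[str, str] = {
    "WKS-001": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Workstation Admins
The command completed successfully.
""",
    "WKS-002": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Workstation Admins
CORP\\jsmith
The command completed successfully.
""",
}

# Hypothetical approved baseline: only these principals may hold local admin.
ALLOWED_ADMINS = {"Administrator", "CORP\\Workstation Admins"}


def parse_net_localgroup(text: str) -> List[str]:
    """Return the member names listed under the dashed separator line."""
    members: List[str] = []
    in_members = False
    for line in text.splitlines():
        entry = line.strip()
        if entry.startswith("----"):
            in_members = True  # everything after the separator is a member
            continue
        if not in_members or not entry:
            continue
        if entry.startswith("The command completed"):
            break  # trailing status line, not a member
        members.append(entry)
    return members


def audit_local_admins(
    outputs: Dict[str, str], allowed: Iterable[str]
) -> List[Tuple[str, str]]:
    """Return (host, member) pairs for every admin not in the allow-list.

    Comparison is case-insensitive because Windows principal names are.
    """
    allowed_norm = {a.lower() for a in allowed}
    findings: List[Tuple[str, str]] = []
    for host, text in outputs.items():
        for member in parse_net_localgroup(text):
            if member.lower() not in allowed_norm:
                findings.append((host, member))
    return findings


if __name__ == "__main__":
    for host, member in audit_local_admins(SAMPLE_OUTPUT, ALLOWED_ADMINS):
        print(f"{host}: unexpected local administrator {member}")
```

In practice the per-host text would come from an endpoint management tool or a remote command run by the imaging pipeline; the point is that the check runs on a schedule, so a user quietly added to the local Administrators group after imaging shows up as a finding rather than relying on anyone remembering the rule.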

A good security awareness program should not be considered a once-a-year activity to achieve a checkmark for a compliance standard. It needs to have activities on a frequent basis and contain a variety of elements (e.g., newsletter, test phish email, lunch and learn sessions, email tips, physical security checks, clean desk review) to maintain currency and relevancy. Since technology cannot protect us or our users all the time, a good awareness program’s goal is to encourage others to develop good security habits.

Threats adapt as fast as or faster than the apps we use every day; simple training won’t keep up. Protecting people is not about addressing the expected pitfalls, it’s about understanding the intent of malicious actors to stop them in their tracks. The most important information our coworkers need is what the malicious actors are targeting; this simple intelligence makes us all more attack resistant. Don’t leave your valuables on your car seat, right…